Rapid7 Honey Credentials

Overview

To use the Honey Credential deception trap, you must have the Rapid7 Insight Agent for Windows installed on your endpoints. If the honey credential feature is enabled, the agent injects a set of fake credentials onto each endpoint. An intruder who dumps memory with a tool such as MimiKatz in preparation for a pass-the-hash attack will likely find these fake credentials, which are given names that look appealing to an attacker.

This helpful Rapid7 blog post explains many of the nuances of honey credentials.

As the blog explains, with honey credentials enabled, the Rapid7 Insight Agent injects a set of fake credentials into memory. If these credentials are seen in use anywhere else on the network that is monitored with InsightIDR, an alert is generated.

Configuring Honey Credentials

The honey credential feature is not enabled by default. It is an "opt-in" feature that you must specifically request to be enabled via a Support ticket.

Please Note: Some malware detection software may alert upon finding the honey credentials running in memory.

How to Test Honey Credentials

To test the Honey Credential feature after it is enabled, you should perform a pass-the-hash attack. Download a memory dump/scraping tool such as MimiKatz and use the tool to extract the users/passwords from memory on a system running the Insight Agent.

Black Hills Information Security has more information on how to perform such an attack.

Viewing Results

If you attempt to access something in the environment for which InsightIDR has log data, an alert will be generated. For example, if you attempt to log into the domain with the honey credentials, InsightIDR will generate an alert similar to the one shown below.
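The detection idea behind that alert, as an added Python illustration that is not Rapid7's code: the Insight Agent's real honey account names and InsightIDR's own rule logic are not given on this page, so the account names, event IDs and log lines below are constructed. Any authentication event that names a honey account is an alert, because no legitimate user ever holds those credentials, and counting attempts per source address shows where the dumped credentials are being replayed from.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed honey account names for this example. The real names are chosen
# by the Insight Agent and are not given on this page.
HONEY_ACCOUNTS = {"svc_backup_admin", "da_helpdesk"}

# Windows Security event IDs that record an authentication attempt with an
# account name, whether or not it succeeded: 4624 logon success, 4625 logon
# failure, 4768 Kerberos TGT request, 4776 NTLM credential validation.
AUTH_EVENT_IDS = {"4624", "4625", "4768", "4776"}

# Constructed sample events, flattened to key=value text for the example.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jsmith WorkstationName=WS-01 IpAddress=10.0.0.5 LogonType=3",
    "EventID=4625 TargetUserName=svc_backup_admin WorkstationName=WS-07 IpAddress=10.0.0.22 LogonType=3",
    "EventID=4776 TargetUserName=DA_HELPDESK WorkstationName=WS-07 IpAddress=10.0.0.22",
    "EventID=4768 TargetUserName=svc_backup_admin IpAddress=10.0.0.22",
    "EventID=4672 TargetUserName=svc_backup_admin IpAddress=10.0.0.22",  # privilege assignment, not an auth attempt
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def honey_alerts(events: Iterable[str], honey=HONEY_ACCOUNTS) -> List[Dict[str, str]]:
    """Return one alert per authentication attempt that names a honey account."""
    honey_lc = {h.lower() for h in honey}  # Windows account names are case-insensitive
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        user = ev.get("TargetUserName", "")
        if user.lower() in honey_lc:
            alerts.append({
                "account": user,
                "event_id": ev["EventID"],
                "source": ev.get("IpAddress", "unknown"),
                "outcome": "success" if ev["EventID"] == "4624" else "attempt",
            })
    return alerts


def attempts_by_source(events: Iterable[str]) -> Dict[str, int]:
    """Count honey-credential attempts per source address to triage where they came from."""
    return dict(Counter(a["source"] for a in honey_alerts(events)))
```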
